[TriLUG] OT - limiting access to destination ports
Christopher L Merrill
chris at webperformance.com
Thu Apr 24 10:56:38 EDT 2008
So I've read some PF docs and looked at our existing pf.conf file.
After these lines:
> block in
> pass out keep state
if I add these lines (where $int_if is the internal firewall interface
and my machine is 192.168.1.220):
> pass out quick on $int_if proto tcp from 192.168.1.220 to any port 80
> pass out quick on $int_if proto tcp from 192.168.1.220 to any port 443
> pass out quick on $int_if proto tcp from 192.168.1.220 to any port 53
> block out quick on $int_if proto tcp from 192.168.1.220 to any
will this accomplish my goal of limiting anything on my machine (including
flash and my browser) to only connect on ports 80/443 on the various
web servers I visit (and allow 53 for DNS resolution)?
TIA!
Chris
Robert Dale wrote:
> I don't know _how_ to do this on _BSD_ - linux, yes ;) - but
> conceptually, you create some outgoing rules like
>
> allow 80
> allow 443
> deny all
>
> On Wed, Apr 23, 2008 at 4:22 PM, Christopher L Merrill
> <chris at webperformance.com> wrote:
>> I want to block the Flash player in IE (on XP) from connecting to anything
>> other than ports 80 and 443 on the destination servers. Note this is for
>> testing some specific stuff - the goal is to force flash to use these ports
>> instead of other ports for streaming video. I haven't found a way for
>> Windows Firewall to do this. I've tried TCP/IP port-filtering - but haven't
>> found the magic combination that blocks the videos but allows the browser
>> to operate.
>>
>> At my disposal, we have a BSD firewall in the office that all our machines
>> are sitting behind. In addition, I have a Linux machine that is configured
>> with Apache and mod_proxy. At home, I'm behind a Linksys WRT54 (stock firmware).
>>
>> Note that this need only be a temporary solution - something I can turn
>> on for a few minutes for testing and then turn off - so preventing
>> _anything_ on our network from connecting to anything besides ports
>> 80 and 443 would be acceptable as long as the browser is still functional
>> (I guess that implies DNS queries would need to get through as well?)
>> I think I can determine which destination IPs I want to block, so
>> a solution that is limited to a few IPs would work, too. If the solution
>> was only functional for a specific source IP address, that would work, too.
>>
>> Any suggestions how I might accomplish my goal (in 2 hours or less)?
>>
>> --
>> -------------------------------------------------------------------------
>> Chris Merrill | Web Performance, Inc.
>> chris at webperformance.com | http://webperformance.com
>> 919-433-1762 | 919-845-7601
>>
>> Website Load Testing and Stress Testing Software & Services
>> -------------------------------------------------------------------------
>> --
>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> TriLUG Organizational FAQ : http://trilug.org/faq/
>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>
--
-------------------------------------------------------------------------
Chris Merrill | Web Performance, Inc.
chris at webperformance.com | http://webperformance.com
919-433-1762 | 919-845-7601
Website Load Testing and Stress Testing Software & Services
-------------------------------------------------------------------------
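The question in this thread is really one about PF rule ordering: PF normally lets the *last* matching rule win, and only `quick` stops evaluation at the first match. The following is an added example, not code from the thread or from the PF project: a toy evaluator that parses just the subset of pf.conf syntax used in Chris's proposed rules and applies PF's last-match/`quick` semantics to constructed sample packets. The interface name `em1` standing in for `$int_if`, the neighbour host `192.168.1.50`, the DNS server `192.168.1.1` and the web server `203.0.113.10` are assumptions; `keep state` is accepted but ignored since the toy has no state table.

```python
"""Toy model of PF rule evaluation for the outbound rule set proposed in the
thread. Added example, not part of the original post. Only the pf.conf subset
used in the thread is parsed; "keep state" is accepted and ignored."""
from dataclasses import dataclass
from typing import Optional

MACROS = {"int_if": "em1"}      # assumed interface behind $int_if
MY_IP = "192.168.1.220"         # the workstation named in the thread

# The rules exactly as proposed in the thread (after "block in" / "pass out keep state").
PROPOSED_CONF = f"""
block in
pass out keep state
pass out quick on $int_if proto tcp from {MY_IP} to any port 80
pass out quick on $int_if proto tcp from {MY_IP} to any port 443
pass out quick on $int_if proto tcp from {MY_IP} to any port 53
block out quick on $int_if proto tcp from {MY_IP} to any
"""


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    iface: str
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    quick: bool = False
    iface: Optional[str] = None      # None = any interface
    proto: Optional[str] = None      # None = any protocol
    src: Optional[str] = None        # None = any source address
    dst: Optional[str] = None        # None = any destination address
    dport: Optional[int] = None      # None = any destination port

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.direction, p.direction), (self.iface, p.iface),
            (self.proto, p.proto), (self.src, p.src),
            (self.dst, p.dst), (self.dport, p.dport)))


def _addr(tok: str) -> Optional[str]:
    return None if tok == "any" else tok


def parse_rule(line: str) -> Rule:
    """Parse one rule of the subset used above (action, direction, quick, on, proto, from, to, port)."""
    tok = line.split()
    fields = {"action": tok[0]}
    i = 1
    if i < len(tok) and tok[i] in ("in", "out"):
        fields["direction"] = tok[i]
        i += 1
    while i < len(tok):
        kw = tok[i]
        if kw == "quick":
            fields["quick"] = True
            i += 1
        elif kw == "on":
            name = tok[i + 1]
            fields["iface"] = MACROS[name[1:]] if name.startswith("$") else name
            i += 2
        elif kw == "proto":
            fields["proto"] = tok[i + 1]
            i += 2
        elif kw == "from":
            fields["src"] = _addr(tok[i + 1])
            i += 2
        elif kw == "to":
            fields["dst"] = _addr(tok[i + 1])
            i += 2
        elif kw == "port":
            fields["dport"] = int(tok[i + 1])
            i += 2
        elif kw == "keep" and tok[i + 1] == "state":
            i += 2          # stateful matching is not modelled in this toy
        else:
            raise ValueError(f"unsupported keyword {kw!r} in: {line}")
    return Rule(**fields)


def parse_conf(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def evaluate(rules, packet: Packet) -> str:
    """PF semantics: the last matching rule wins, unless a matching rule carries
    'quick', which ends evaluation immediately. With no match at all, PF passes."""
    decision = "pass"
    for r in rules:
        if r.matches(packet):
            decision = r.action
            if r.quick:
                break
    return decision


def decide(conf: str, packet: Packet) -> str:
    return evaluate(parse_conf(conf), packet)


def without_quick(conf: str) -> str:
    """The same rules with every 'quick' removed, to show why the keyword matters."""
    return conf.replace(" quick", "")


# Constructed sample traffic (addresses are assumptions, not from the thread).
WEB = Packet("out", "em1", "tcp", MY_IP, "203.0.113.10", 80)
TLS = Packet("out", "em1", "tcp", MY_IP, "203.0.113.10", 443)
OTHER = Packet("out", "em1", "tcp", MY_IP, "203.0.113.10", 8080)
DNS_UDP = Packet("out", "em1", "udp", MY_IP, "192.168.1.1", 53)
NEIGHBOUR = Packet("out", "em1", "tcp", "192.168.1.50", "203.0.113.10", 8080)
INBOUND = Packet("in", "em1", "tcp", "203.0.113.10", MY_IP, 80)

if __name__ == "__main__":
    for name, p in [("web", WEB), ("tls", TLS), ("other tcp", OTHER),
                    ("dns/udp", DNS_UDP), ("neighbour", NEIGHBOUR), ("inbound", INBOUND)]:
        print(f"{name:10} -> {decide(PROPOSED_CONF, p)}")
    print("web, same rules without quick ->", decide(without_quick(PROPOSED_CONF), WEB))
```

Two things the toy makes visible. First, the proposed set only works because of `quick`: with the keyword removed, the trailing `block out ... to any` is the last match for a port-80 packet and wins, so the browser would be cut off. Second, UDP DNS from the workstation still passes, but only as a side effect of the final block rule being `proto tcp` and the earlier `pass out keep state` covering everything else; the explicit `port 53` pass rule only covers TCP DNS, so if the block rule were ever widened to `proto { tcp udp }`, a matching UDP pass rule for port 53 would be needed as well.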